Popular cruelty-free brand Tarte Cosmetics, found online and at major retailers like Sephora and Ulta, has become the latest company to misconfigure a database (actually two), exposing personal information for nearly two million customers to ransom specialists CRU3LTY.

The CRU3LTY cyber-criminal group specializes in finding unsecured databases, lifting info, wiping files then demanding a ransom for the data’s return. According to Kromtech Security Center, which found the open databases, there was a warning folder left by CRU3LTY demanding 0.2 bitcoins.

Interestingly though, the data appeared to be still there, although the group is likely in possession of a copy. The compromised data links to customers who shopped on Tarte’s website between 2008 and 2017, and includes names, email addresses, mailing addresses and the last four digits of credit-card numbers. The information offers an opportunity for follow-on phishing at attacks or scams.

“In this instance they would already have the last 4 digits of the credit card on file and with 2 million customers they would have all of the personal information needed to trick them into believing they are confirming their credit card with a company they trust,” said Kromtech chief security communications officer Bob Diachenko, in a post. “It appears that criminals have already accessed the customer data. With all of the other data leaks online it is possible that criminals could even cross-reference this data against other breaches and get the customer’s full card number or more information. Ransomware alone could be devastating to a company large or small if they do not have their data backed up or a security plan in place.”

The administrators at Tarte selected “public” for the MongoDB databases’ security setting instead of “private”, according to Diachenko, and both have been indexed by the Shodan IoT search engine, popular with cyber-criminals looking for vulnerable things to exploit. The oversight is one that should have been caught in a basic security check.

“Weak security practices can be the difference between putting your customers and their data at risk, and utilizing the immense benefits of the public cloud without any ramifications,” said Zohar Alon, co-founder and CEO, Dome9, via email.

He added, “As we’ve seen recently, any size security gap in the public cloud is a big one. IT must perform regular checks and balances of cloud environments so malicious attackers cannot take advantage of simple misconfigurations. There are a number of native and third-party tools available that can solve these rampant misconfiguration errors. As companies continue to expand and leverage the agility and ease of use of the public cloud, they must put basic but crucial security practices first and be held accountable for lapses.”

For its part, Tarte issued a boilerplate statement: “At Tarte, keeping customer information fully secure is our No. 1 priority. We are aware of this potential issue, which we are actively investigating. At the same time, we are taking every measure available to ensure the highest level of protection for all corporate data, and we will keep our customers and partners informed as necessary.”